Department of Health and Human Services Increases Pace of HIPAA Enforcement Penalties

It is only August, but already this year more than $20.4 million dollars have been exacted in penalties against providers under the Health Insurance Portability and Accountability Act (HIPAA). This amount surpasses the previous annual record of $7.9 million set in 2014 – and it is just August.

On August 4, 2016, the Office of Civil Rights at the US Department of Health and Human Services (HHS) announced that Advocate Health Care Network (Advocate) will pay $5.5 million dollars for lax data security and breaches of protected health information affecting patients.

Advocate's problems began when four unencrypted company computers were stolen from its offices. The computers contained patients' names, addresses, dates of birth, social security numbers, and clinical information. Advocate self-reported the incident pursuant to the HIPAA breach notification rule's mandatory reporting requirements.

The subsequent investigation by HHS revealed additional compliance issues including Advocate's failure to adequately assess risk to electronic protected health information (ePHI), failure to properly limit access to electronic systems, failure to obtain agreements with business associates to safe guard ePHI, and a continuing problem with employees leaving unencrypted laptops in vehicles.

In the current enforcement environment, health care providers and business associates are cautioned to revisit their HIPAA compliance policies. Having in place a documented and updated HIPAA security analysis and an effectively implemented compliance program will prove the best defense in the event of data breach and subsequent HHS investigation. Having made an example of providers like Advocate, HHS has made clear that lackluster HIPAA compliance can be costly to the provider's bottom line.